Fizzer stealth worm spreads via KaZaA

Discussion in 'malware problems & news' started by ladyjeweler, May 12, 2003.

Thread Status:
Not open for further replies.
  1. ladyjeweler

    ladyjeweler Registered Member

    Joined:
    Feb 22, 2003
    Posts:
    23
    Location:
    North Carolina
    Fizzer stealth worm spreads via KaZaA
    http://www.theregister.co.uk/content/56/30659.html

    Fizzer stealth worm spreads via KaZaA
    By John Leyden
    Posted: 12/05/2003 at 12:16 GMT

    Yet another Internet worm has been discovered spreading through the KaZaA P2P file-sharing network.

    Fizzer, which can spread via email as well as over file sharing networks, is more dangerous than most such worms because its malicious code includes key logging and Trojan functionality.

    The worm normally arrives at the target computers as an executable file and activates when a user launches it.

    Russian AV firm Kaspersky Labs said today that it has received confirmed reports of infections by Fizzer. However indications are that the spread of the worm is modest, at worst.

    So there's no need to panic.

    To spread via email, Fizzer scans the addresses in a victim's Outlook and Windows address books or it randomly attacks email addresses in public email systems such as hotmail.com and yahoo.com. Next, the worm, in the name of the computer owner, clandestinely sends out infected messages using different subjects, message texts and file attachment names.

    To spread via KaZaA, Fizzer creates multiple copies of itself under random names, and places these files in the victim computer's dedicated KaZaA file-sharing folder. By doing so, Fizzer becomes "available" to all other network participants.

    Fizzer carries a dangerous payload that can cause confidential data to be leaked from infected computers. The worm installs a keyboard-logging program that intercepts and records all keyboard strokes in a separate log file. To transmit this information, Fizzer loads a backdoor utility that allows crackers/VXers to control a computer via IRC channels.

    Additionally, the worm regularly connects with a Web page located on the Geocities server from which it attempts to download an updated version of its executable modules.

    In an attempt to foil detection, Fizzer also attempts to shut down an array of widely used anti-virus programs that might be running on a victim's PC.

    A write-up of the worm by Kaspersky gives more information.

    To avoid infection users are advised to apply standard precautions. Avoid opening unsolicited attachments, even when they appear to come from people you trust, and update AV tools to detect the worm. AV vendors are in the process of updating signature definitions to recognise Fizzer.

    It's still possible to remove the worm if you get infected but prevention is far easier than cure.

    Using P2P networks as a vector for viral propagation has become a popular trick of late.

    In February, the Igloo worm (which falsely promised racy pictures of celebrity nudes) spread through KaZaA. In August 2002, the Duload worm attempted similar propagation tactics.

    Before that we had the (awkwardly named) Backdoor.K0wbot.1.3.B and Benjamin worm.

    So Fizzer is just the latest in a long and ignoble line. However, its use of random names and payload makes it more stealthy and dangerous than most of its predecessors. ®
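    The article notes that Fizzer drops several copies of itself under random names into the KaZaA shared folder. The script below is an added example, not code from the Register article or from anyone in this thread: it groups executables in a shared folder by content hash, so a cluster of byte-identical executables under different names stands out even though the names themselves are random. The folder, file names and payload bytes are constructed for the demo.

```python
# Added example: flag groups of identical executables under different names
# in a P2P shared folder (the propagation pattern described above).
# The folder layout, names and payload bytes below are constructed.
import hashlib
import os
import tempfile
from collections import defaultdict

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cloned_executables(shared_dir, min_copies=2):
    """Group executables in shared_dir by content hash and return only the
    groups holding at least min_copies files with different names."""
    by_hash = defaultdict(list)
    for name in os.listdir(shared_dir):
        path = os.path.join(shared_dir, name)
        if os.path.isfile(path) and os.path.splitext(name)[1].lower() in EXEC_EXTS:
            by_hash[sha256_of(path)].append(name)
    return {h: sorted(n) for h, n in by_hash.items() if len(n) >= min_copies}


def build_demo_folder():
    """Constructed sample: three random-named copies of one fake 'worm' file,
    one distinct installer and one media file that is not an executable."""
    d = tempfile.mkdtemp(prefix="kazaa_shared_")
    payload = b"MZ" + b"\x00" * 64 + b"constructed fake worm body"
    for name in ("fj3k2d.exe", "setup_crack.scr", "hotpics.pif"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(d, "winrar_installer.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"constructed different tool")
    with open(os.path.join(d, "song.mp3"), "wb") as f:
        f.write(b"ID3 constructed audio")
    return d


if __name__ == "__main__":
    folder = build_demo_folder()
    for digest, names in find_cloned_executables(folder).items():
        print(f"{len(names)} identical executables ({digest[:12]}...): {names}")
```

Run against a real shared folder, this only points at suspicious clusters; confirm any hit with an up-to-date AV scanner before deleting anything.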
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    W32/Fizzer-A

    Aliases
    I-Worm.Fizzer, W32/Fizzer.gen@MM, W32.HLLW.Fizzer@mm, WORM_FIZZER.A

    Description
    W32/Fizzer-A is a worm with IRC backdoor Trojan functionality. The worm spreads by emailing itself to contacts in the Microsoft Outlook and Windows address books and to random email addresses at the following domains:

    msn.com
    hotmail.com
    yahoo.com
    aol.com
    earthlink.net
    gte.net
    juno.com
    netzero.com

    The email subject line, message text and attachment name are randomly constructed using long lists of strings.

    Example message text strings are:

    "So how are you?"
    "Check it out"
    "There is only one good, knowledge, and on evil, ignorance"
    "I sent this program (sparky) from anonymous places on the net"
    "you must not show this to anyone"
    "Today is a good day to die"
    "thought I'd let you know"
    "The way to gain a good reputation is to endeavor to be what you desire ..."
    "Filth is a death"
    "wie geht es Ihnen?"
    "Philosophy imputes, reinterprets faith"
    "If you don't like it, just delete it"
    "delete this as soon as you lokk at it"
    "Did you ever stop to think that viruses are good for the economy? ..."
    "the incredibly bright faith"
    "you don't have to if you don't want to"
    "I wonder what can be so bad ..."
    "Watchin' the game, having a bud."
    "the attachment is only for you to look at"
    "Let me know what you think of this..."

    more: http://www.sophos.com



    Technodrome
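    The write-up above says Fizzer's messages are built from a fixed pool of text strings and carry an executable attachment. The following is an added example, not code from Sophos or from this thread: it triages sample messages by checking for both traits together, using a subset of the strings listed above. The messages, addresses and attachment bytes are constructed for the demo.

```python
# Added example: flag messages whose body matches one of the Fizzer text
# strings listed above AND that carry an executable attachment.
# Sample messages and addresses below are constructed, not real mail.
from email.message import EmailMessage
from email import policy

# Subset of the message-text strings from the write-up, lowercased for matching.
FIZZER_TEXTS = [
    "so how are you?",
    "check it out",
    "today is a good day to die",
    "if you don't like it, just delete it",
    "the attachment is only for you to look at",
]
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def looks_like_fizzer(msg):
    """True when the plain-text body contains a known Fizzer string and at
    least one attachment has an executable extension; either alone is not enough."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    has_text = any(s in text for s in FIZZER_TEXTS)
    has_exe = any(
        (part.get_filename() or "").lower().endswith(EXEC_EXTS)
        for part in msg.iter_attachments()
    )
    return has_text and has_exe


def make_message(subject, body, attachment_name=None):
    """Build a constructed sample message with an optional attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "friend@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x00constructed", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


SAMPLES = [
    make_message("hi", "Check it out, the attachment is only for you to look at", "sparky.exe"),
    make_message("quarterly report", "Check it out", "report.pdf"),
    make_message("lunch?", "Are we still on for noon?", None),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m['Subject']!r}: {'FLAG' if looks_like_fizzer(m) else 'ok'}")
```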
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,840
    Location:
    New England
  4. SmackDown

    SmackDown Guest

    Free cleaner here also. http://www.kittanning-pa.com/downloads.html
     
  5. jump

    jump Registered Member

    Joined:
    Nov 21, 2002
    Posts:
    5
    Oops... I was thinking of getting Kazaa today.

    Will NAV automatically detect this virus if it is downloaded through Kazaa or do I need to scan them manually after downloading?
     
  6. controler

    controler Guest

    If you have to get KaZaA, get KaZaA Lite.
    It comes with a hosts file for some pop-ups and a small firewall.
    The producer has a big write-up on his page about spyware and
    gives download links to Spybot S&D and Ad-Aware.

    If you want to test your AV, try downloading any of the new WinRAR versions through KaZaA. It appears
    NOD32 is catching a dropper on every one. I wrote to NOD support about this but never heard back.
    Since the young are bound and determined to use KaZaA, we need to make it as secure as we can ;)
     